SMS Botnet 'SpamSoldier' Lures Victims With Fake Games

Researchers have uncovered an instance of an SMS botnet targeting Android users in the United States.

As botnets go, the Android SMS botnet was "an unsophisticated attack," Andrew Conway, a security researcher with Cloudmark, wrote on the company blog Dec. 16. An SMS message offering free games or other scams tricks users into downloading a malicious app from a third-party app store onto their Android devices. Once installed, the app can send SMS spam messages to other users without the user's permission or knowledge.

Lookout Mobile Security has dubbed this family of malware SpamSoldier and noted that the malicious app takes steps to hide its activities. The icon is removed from the launcher so the user doesn't know the app is running, outgoing spam texts are not logged, and incoming SMS replies are intercepted so that the user "remains blissfully unaware," said Lookout's senior product manager Derek Halliday.

"You better have an unlimited message plan or your phone bill may come as a bit of a shock," Conway wrote on Cloudmark's blog.

Cloudmark researchers first saw the spam campaign on Oct. 26 with messages offering users a free SMS blocker. The second wave of spam messages began Nov. 10 offering free games, such as Grand Theft Auto 3 and Need for Speed Most Wanted. The third wave on Nov. 28 was a mix of free game offers and gift cards, such as a $1,000 Target gift card.

The attacks have been fairly low-volume until recently, when spam volume jumped to over half a million SMS messages being sent per day.

How the Malware Spread

Malware distribution is limited as the malicious app is currently hosted only on third-party app stores. Cloudmark has identified ten malicious apps, to date, hosted on seven domains on a Hong Kong-based server.

Malicious apps with SpamSoldier have not yet been detected on any of the official app stores, Lookout's Halliday said.

The infection vector currently relies on text messages. Users receive an invitation via SMS to download a free version of a popular Android game, such as Angry Birds, Grand Theft Auto, Max Payne, or The Need for Speed. The "spamvertised" application is actually a malicious app, and once it is installed onto an Android device, it contacts the command-and-control server. The C&C server gives the malware the latest message that needs to be spammed out along with a list of 100 U.S. phone numbers to send it to.

As soon as the malware finishes spamming those numbers, it obtains another list of numbers from the C&C server. If the spam campaign changes, the C&C server also sends the infected handset the updated text.

"Once it’s exhausted its list of phone numbers, it calls home to get a new list of 100 numbers – rinse and repeat – until the C&C either doesn’t respond, or the application is closed," Halliday said.

SpamSoldier's SMS activities can result in a high cellular bill for the user and also potentially slow down the carrier's network, Lookout said. Cloudmark pointed out this was a sign spammers have figured out a way to shift the costs of sending text messages to the victims.
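The batch behaviour described above (one message body sent to a list of 100 numbers, then repeated) leaves a recognizable pattern in carrier-side send records. The following is an added example, not code from Cloudmark, Lookout or the article; the record layout, the 30-minute window, the 50-recipient threshold and all phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window
MIN_RECIPIENTS = 50             # assumed threshold, half of one 100-number batch

def constructed_log():
    """Constructed send records (timestamp, sender, recipient, body); no real data."""
    t0 = datetime(2012, 12, 1, 9, 0, 0)
    rows = []
    # Handset A: one body to 100 distinct numbers, five seconds apart.
    for i in range(100):
        rows.append((t0 + timedelta(seconds=5 * i), "+15550100001",
                     f"+1555020{i:04d}", "Free game download: http://example.invalid/"))
    # Handset B: ordinary conversation with two contacts.
    for i, body in enumerate(["running late", "ok see you at 6", "thanks!"]):
        rows.append((t0 + timedelta(minutes=10 * i), "+15550100002",
                     f"+1555030000{i % 2}", body))
    # Handset C: the same reminder to eight people (legitimate small group text).
    for i in range(8):
        rows.append((t0 + timedelta(seconds=i), "+15550100003",
                     f"+1555040{i:04d}", "Practice moved to 5pm"))
    return rows

def flag_fanout(rows, window=WINDOW, min_recipients=MIN_RECIPIENTS):
    """Map each flagged sender to the most distinct recipients one body reached in a window."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, body in rows:
        normalized = " ".join(body.lower().split())  # ignore case and spacing changes
        by_key[(sender, normalized)].append((ts, rcpt))
    flagged = {}
    for (sender, _), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({rcpt for _, rcpt in events[start:end + 1]})
            if distinct >= min_recipients:
                flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_fanout(constructed_log()))
```

Only the handset that sends one body to a full batch is flagged; the small group text stays below the threshold.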

What Users Can Do

Users are encouraged not to install apps from third-party app stores. In this case, users are instructed to enable "unknown sources" under Android Settings to install apps from markets other than Google Play. Don't do that. While malicious apps have historically made their way onto Google Play, it is still much safer than the unofficial markets.

These apps also asked for permissions that "no Angry Bird should ever need to do," such as surfing the Web and sending SMS messages, Conway said. Users need to get in the habit of actually looking at what permissions an app is asking for, without blindly clicking yes when installing the app.
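The permission check Conway describes can be automated against an app's decoded AndroidManifest.xml before install. This is an added example, not a tool from the article or from either vendor; the manifest, package name and verdict rules are constructed assumptions. It also goes one step beyond the article by flagging a receiver that registers for incoming SMS with a raised priority, which on Android versions before 4.4 let an app handle a text ahead of the default messaging app.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND, RECEIVE = "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"
INTERNET = "android.permission.INTERNET"
WHY = {SEND: "can send texts billed to the user",
       RECEIVE: "can see incoming texts"}

# Constructed manifest for a hypothetical "free game"; not taken from a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free Game">
    <receiver android:name=".Inbox">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def requested_permissions(root):
    names = (el.get(ANDROID + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def sms_filter_priority(root):
    """Highest literal priority of an intent filter for incoming SMS, or None."""
    found = []
    for filt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in filt.iter("action")}
        if SMS_RECEIVED in actions:
            found.append(int(filt.get(ANDROID + "priority", "0")))
    return max(found) if found else None

def audit(manifest_xml):
    """Return (verdict, reasons) for the text of a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    reasons = [f"{p}: {why}" for p, why in WHY.items() if p in perms]
    prio = sms_filter_priority(root)
    if prio:
        reasons.append(f"incoming-SMS receiver declared with priority {prio}")
    if SEND in perms and INTERNET in perms:
        reasons.append("SEND_SMS plus INTERNET: sending can be driven by a remote server")
        return "reject", reasons
    return ("review" if reasons else "ok"), reasons
```

Calling `audit(SAMPLE)` returns the verdict `reject` with four reasons, while a game that requests only network access comes back `ok`.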

Users can also forward SMS spam messages they receive to 7726. This gives carriers and researchers access to real-time threats in order to identify major problems as they develop.

Lookout also recommends downloading a mobile security app that scans for malware.
